MOUNDS VIEW, Minn. – In a move to satisfy regulators' demand for multi-factor authentication for online banking, Cavion Plus is rolling out its Software Token authentication solution as part of Version 3.3 of its Internet Banking software.

It goes without saying that criminals – cyber or otherwise – will always seek the greatest vulnerability. So as credit unions have battle-hardened the security on their home banking systems, cyber criminals have increasingly turned to phishing in an attempt to gain online access to member accounts.

In October of 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidelines regarding online authentication. These guidelines suggest that single-factor authentication – i.e., a member typing a user name and password – is not adequate in today's environment. These guidelines call for financial institutions to institute some sort of multi-factor authentication process by the end of 2006. Multi-factor authentication assures the credit union that a legitimate member is accessing the online banking system, and also assures the member that he or she is indeed visiting the legitimate credit union Web site.

In the ensuing months, a number of security companies have introduced multi-factor authentication products that credit unions can add on to their Internet banking systems. However, with the introduction of version 3.3 of its Internet banking system, Cavion Plus has integrated multi-factor authentication directly into its software.

Although multi-factor authentication is ultimately designed to protect the credit union member from himself, Cavion Plus President John Mattes claims that failure to provide such protection could in fact damage the trust relationship between the member and the credit union. “You can provide members with all the information and all the tools,” says Mattes, “but still some members will blame their credit union. You could have done more; you should have done more.”

Members who avoid being successfully phished due to the credit union's multi-factor authentication will surely appreciate the extra effort. On the other end of the spectrum, however, are the technologically sophisticated members who may feel quite comfortable with single-factor authentication and don't care to make the extra effort, albeit minor, that multi-factor authentication requires. “Credit unions have always been about choices,” adds Mattes, “so we give our customers choices when it comes to multi-factor authentication.” He says that credit unions can, for example, turn off multi-factor authentication for member groups that they deem appropriate, or even for individual members who request it.

According to Cavion Plus CTO Jeff Marshall, one challenge in developing such a product is making sure that it provides adequate security while remaining as simple as possible for the member. He claims that Cavion Plus has succeeded in this respect. “We've tried hard to make it palatable,” says Marshall. “We worked very hard to make it not too intrusive.”

Using the Cavion Plus multi-factor authentication system, logging onto the home banking system requires two or three steps from the credit union member. First, the member types the user name or member number and also types a security code that is presented to the member as a graphic (see figure 1). The security code assures the server that a real person rather than a hacker's computer program is attempting to access the system. If the PC has not been registered, the member is presented with a challenge question to which only he or she knows the answer (see figure 2). In the final step, the member types the appropriate PIN (see figure 3). At this point, the member is also presented with a security key word presented as a graphic. This is a word selected by the member during signup for home banking. “The security key is a shared secret,” says Marshall. “Only the server and the member know what it is.” Presentation of the correct security key assures the member prior to typing the PIN that he or she is truly at the credit union's Web site.

During this step, the member also has the option to register the computer. If the member elects to register the computer, the system places a cookie on that computer. For all subsequent log-ons from that computer, the system will skip the challenge question. Marshall says it's important to let credit union members know that registering a computer is not absolute. The registration cookie could be deleted for whatever reason, or the member might choose to use a different brand of Web browser. Either one of these would require re-registration of the computer.

While this software-based, multi-factor authentication is available now, Mattes says that Cavion Plus is also evaluating partners to develop a hardware-based version that could, for example, include biometrics or a fob that plugs into a USB port.
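The log-on flow described above, sketched as an added example (this is not Cavion Plus's code): the HMAC-signed cookie format, the demo key, and every function and field name are assumptions made for illustration. It shows the server skipping the challenge question only for a valid registration cookie issued to the same member, and revealing the security key word only once that check or the challenge has passed.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed; a real server loads this from a secret store

# Constructed sample member record. The challenge answer is kept in the clear
# only to keep the sample short; a real system would store a salted hash.
MEMBER = {"id": "100234", "challenge_answer": "maple street", "security_key": "lighthouse"}

def _tag(member_id):
    return hmac.new(SERVER_KEY, member_id.encode(), hashlib.sha256).hexdigest()

def issue_device_cookie(member_id):
    """Value of the registration cookie (assumed format: '<member id>.<HMAC tag>')."""
    return f"{member_id}.{_tag(member_id)}"

def device_is_registered(member_id, cookie):
    """True only for an untampered cookie that was issued to this same member."""
    if not cookie or "." not in cookie:
        return False  # cookie deleted, or a different browser: treat as unregistered
    cookie_member, _, tag = cookie.rpartition(".")
    return cookie_member == member_id and hmac.compare_digest(
        tag.encode(), _tag(member_id).encode())

def next_screen(member, captcha_ok, cookie=None, answer=None):
    """Return (screen, security_key_word) for the current state of a log-on."""
    if not captcha_ok:
        return ("security_code", None)  # graphic code not solved: start over
    if not device_is_registered(member["id"], cookie):
        given = (answer or "").strip().lower().encode()
        if not hmac.compare_digest(given, member["challenge_answer"].encode()):
            return ("challenge_question", None)
    # The key word is disclosed only at this point, so the member can check it
    # before typing the PIN, and an unregistered client never sees it unchallenged.
    return ("pin", member["security_key"])
```

Because a missing or invalid cookie simply falls back to the challenge question, deleting the cookie or switching browsers costs the member one extra step rather than locking them out.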
